July 29, 2008

Cisco: Remote CLI access without Login/Password

When I configure a bunch of Cisco gear in a lab environment, just for fun or to test some new feature, I like the ability to get CLI access over telnet without having to authenticate myself with any username or password. You can achieve this level of “insecurity”, which is totally fine for lab-only use, simply by changing the VTY configuration.

In normal situations you configure the VTY lines to allow remote CLI access to your device like this:

Router>
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#password Cisco
Router(config-line)#login

and then you log in to your device (10.0.0.1) with telnet like this:

> telnet 10.0.0.1
Trying 10.0.0.1 ... Open

User Access Verification

Password:
Router>
Router>enable
% No password set

(Don’t forget to set up an enable password, otherwise you will not reach privileged exec mode.)

So, to get rid of the login prompt and gain access without authentication, it’s enough to turn off “login” on the VTY lines, as simple as:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#no login

And then the telnet looks like this:

> telnet 10.0.0.1
Trying 10.0.0.1 ... Open

Router>

Well, if you want to make your work even faster, configure the VTY line so that you are put directly into privileged exec mode by setting the VTY’s privilege level to 15. And don’t forget to turn on one of the greatest CLI features, “logging synchronous”. The final configuration then looks like this:

Router#sh run | section line vty
line vty 0 4
privilege level 15
logging synchronous
no login

and a telnet login then looks like this:

> telnet 10.0.0.1
Trying 10.0.0.1 ... Open

Router#


Update (30.8.2008):

I forgot to add the “exec-timeout 0” command. By default, after 15 minutes of inactivity, the device will automatically disconnect your telnet session. With the “exec-timeout” command you can change the default value; if you set it to 0, the device will never disconnect your telnet session. It’s very useful in labs. So the final configuration would be:

Router#sh run | section line vty
line vty 0 4
privilege level 15
exec-timeout 0 0
logging synchronous
no login
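Since the settings above are meant for lab use only, it is worth being able to spot them before a lab config is reused on a production box. The following is an added example (not from the original post) that parses a running-config excerpt and flags VTY lines carrying “no login”, “privilege level 15” or “exec-timeout 0”; the config text is a constructed sample, not output from a real device.

```python
import re

# Constructed sample running-config (not from a real device): the first VTY
# range carries the lab-only settings from the post, the second is a normal one.
SAMPLE_CONFIG = """\
hostname Router
!
line con 0
 logging synchronous
line vty 0 4
 privilege level 15
 exec-timeout 0 0
 logging synchronous
 no login
line vty 5 15
 password Cisco
 login
"""


def parse_line_sections(config_text):
    """Return {"vty 0 4": [sub-commands], ...} for every `line ...` section.

    IOS indents sub-commands of a section with one space; a non-indented
    line starts a new top-level command and ends the current section.
    """
    sections = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.startswith(" "):
            match = re.match(r"^line (.+)$", raw)
            current = match.group(1) if match else None
            if current:
                sections[current] = []
        elif current:
            sections[current].append(raw.strip())
    return sections


def audit_vty(config_text):
    """Return (line name, reason) pairs for VTY lines with lab-only settings."""
    findings = []
    for name, cmds in parse_line_sections(config_text).items():
        if not name.startswith("vty"):
            continue
        if "no login" in cmds:
            findings.append((name, "no login: remote CLI access without authentication"))
        if "privilege level 15" in cmds:
            findings.append((name, "privilege level 15: session starts in privileged exec mode"))
        if any(re.fullmatch(r"exec-timeout 0( 0)?", c) for c in cmds):
            findings.append((name, "exec-timeout 0: idle sessions are never disconnected"))
    return findings
```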

3 comments:

  1. Hello Jozef,

    We also have to remember to add
    router#terminal monitor
    to enable logging on vty sessions.

    What we are using in our lab environment is a secondary address on Ethernet interfaces. It allows us to have "profiles in PuTTY" and connect to the router with our own addresses, which are not in conflict with the lab.

    int f0/0
    no shut
    ip add 10.0.0.4 255.255.255.0
    ip add 1.0.0.4 255.255.255.0 secondary

    It is also quite useful to use the configure replace command:

    To avoid restarting the router, use the replace config command instead.

    Firstly, save the config in flash. Be careful NOT TO DELETE FLASH.

    copy run flash:startup.cfg

    Secondly, replace the running configuration with the one previously saved in flash:

    conf replace flash:startup.cfg

    Secondly, if you want to replace

  2. Now the router should use the saved configuration from flash. The old running config should be erased.

    Note: Sometimes with RSA keys conf replace doesn’t clear all of the running config.
